Cybersecurity threats seem to be mounting by the day. However, ISO 27002 empowers managers to build optimal systems to fight them.
In May 2022, the University of Cambridge released a report detailing how agricultural robots are vulnerable to targeted attacks from hackers. It's an exploit that could threaten the global food supply. Meanwhile, this month, the trial of the perpetrator of one of the largest data breaches in history draws to a close. A U.S. federal jury convicted Paige Thompson of stealing the personal data of over 100 million bank customers.
The former Amazon engineer hacked past Capital One's data security—a move that cost the company over $270 million in fines and settlement fees.
No industry is immune to cyberattacks or data breaches. And, no matter what industry you work in, the consequences of breaches can be severe. One of the best tools leaders can use to combat these risks are the ISO 27000 series of standards. And, within that series, ISO 27002 is particularly useful.
In this article
- What is ISO 27002?
- What is the ISO 27000 Series?
- What are the core principles of ISO 27002?
- ISO 27002: Key benefits
- Why did ISO/IEC update 27002 in 2022?
- Key differences between ISO 27002:2022 vs ISO 27002:2013
- How is ISO 27002 related to ISO 27001?
- How does the ISO 27002:2022 update impact an organisation's ISO 27001?
- What are ISO 27002 compliance requirements?
- Does ISO 27001 certification cover ISO 27002?
- Elevate information security with DataGuard
What is ISO 27002?
ISO 27002 is an information security standard in the ISO 27000 series.
It empowers organisations to implement information security controls, and to develop and optimise an information security management system (ISMS). It details internationally recognised best practices for ISMS implementation.
ISO 27002 also gives organisations the tools to develop effective security management protocols unique to an organisation's needs.
The ISO and IEC published the most recent version of this standard in 2022. You can purchase the complete 27002 standard from the ISO's website.
What is the ISO 27000 Series?
The ISO 27000 family of standards is a set of rules that guide information security best practices. They articulate the minimum acceptable requirements of an information security management system (ISMS).
Two organisations are responsible for publishing these standards:
- The International Electrotechnical Commission (IEC)
- The International Organisation for Standardisation (ISO)
The International Organisation for Standardisation was formed in 1947. Since then, it has worked toward the goal of creating functional, unified technical standards in a wide range of industries.
167 countries' standardisation organisations are represented in the ISO.
History of ISO 27000 Series
The ISO 27000 series originated in the oil and gas industry.
Shell PTC donated its corporate information security standards to a UK initiative in the 1990s. It was adapted and evolved over time until, in the year 2000, ISO/IEC utilised it for the international security standard ISO/IEC 17799.
In 2005, ISO/IEC revised the standard. In 2007, the organisations reorganised the standards and retitled the series. This led to them establishing ISO 27002 within the series.
ISO 27002 Establishment, Revision
ISO 27002 is a portion of the security standard series dedicated to best practices. Specifically, it recommends optimal security controls for anyone who initiates, implements, or maintains an ISMS system.
After establishing ISO 27002, the organisations continued to adapt and revise the standards. ISO 27002 underwent major revisions in 2013 and 2022.
New Cloud-Based Environment Standard
In 2015, ISO/IEC elaborated on the practices articulated in ISO 27002 in a new, related standard: ISO 27017.
Similar to ISO 27002, ISO 27017 describes optimal security controls for those creating or maintaining an ISMS system, or those putting one into practice.
But, this standard specifically notes best practices for ISMS implementation applied to cloud-based environments. As a whole, ISO 27017 aims to keep information safer in the cloud.
What are the core principles of ISO 27002?
The ISO developed the 27002 standard from the information security triad. The CIA named the three principles in the triad the cornerstones of data security. The principles are:
- Confidentiality
- Data integrity
- Availability
Confidentiality
Confidentiality is a mechanism to ensure only those with authorisation can access the data. Confidentiality agreements may limit what authorised users can do with the data, or where they can publish it.
Confidentiality mechanisms may be legal (non-disclosure agreements), professional norms (physician-patient privilege), or technological (encryption, password protection).
Data Integrity
Data integrity functions to keep data accurate and complete. It prevents data from degrading over time. Certain checks may prevent erroneous data from being entered.
Availability
Availability empowers authorised users to access the data when they need it. Patients have the right to access their personal health data within 30 days of request.
ISO 27002: Key benefits
Organisations net several benefits when they choose to implement the ISO 27002 recommendations.
Developing an ISMS with ISO 27002's guidance results in a greater degree of security than other methods. Specific benefits include:
- An evidence-based framework
- Easy-to-follow guide on best practices such as:
- Evaluation
- Implementation
- Maintenance
- Management
- Increased productivity due to time, resources saved
- Increased trust from partners and clients
- Easier cooperation with multinational businesses
- Advantages when bidding on international contracts
- Reduced insurance premiums
- Reduce risk of data breach, fines
Moreover, ISO 27002 is a thorough document. Each aspect has the potential to highlight a key vulnerability a company may otherwise miss. And, each section offers detailed, specific guidance on how to address it.
Why did ISO/IEC update 27002 in 2022?
ISO updated the standard to better address changes in technology, international laws, and the evolving nature of cybersecurity threats.
Typically, the ISO reviews standards on 5-7 year cycles. But, ISO began the review of 27002 in 2018, and it wrapped revisions in 2021. The current version was finalised and published in 2022.
So, it effectively updated the standard in record time.
Key differences between ISO 27002: 2022 vs ISO 27002:2013
Both versions of ISO 27002 detailed best practices when developing an ISMS system. The best practices are organised—in both versions—as a series of controls.
The 2022 version of ISO 27002 has 21 fewer controls, in total, than the 2013 version. Many of the 2013 standard's controls were merged or cut—either because they no longer applied, or were redundant.
The 2022 version of the standard also introduced 11 new controls. These account for new best practices. The ISO also updated 58 controls to incorporate insights that emerged since 2013.
ISO 27002:2022 also differs structurally from its predecessor. While the 2013 version was organised into 14 domains, the 2022 version organises controls into four "categories."
Each control in the 2022 standard includes a "purpose" element. This helps managers understand the underlying theory and potential benefits of implementing a given control.
ISO 27002:2022 also includes "attributes" for each control. This helps managers adapt a control to their organisations' unique needs.
The updated standard includes two Annexes. Both Annex A and Annex B can help managers adapt to the new standards, either from the 2013 version or from scratch.
How is ISO 27002 related to ISO 27001?
The subject of the relationship between ISO 27002 and ISO 27001 is complex enough to warrant its own article.
So, we wrote one. Feel free to read "ISO 27001 vs ISO 27002: How Are They Different?" to understand this topic in greater detail.
Here, we'll simply summarise the key points of comparison and contrast between the two standards.
ISO 27001 vs. ISO 27002 (Comparison)
Certain data security organisations offer ISO 27001 certification. But, no firms offer ISO 27002 certification. Why is that?
ISO 27002 is meant to be a supplement to ISO 27001. In brief, ISO 27001 is a set of objectives, or goals. If an organisation's ISMS system meets those goals, it can earn ISO 27001 certification.
ISO 27001 gives a thorough explanation of what an organisation must do to implement an ISMS successfully. It is often considered a 16-point checklist.
ISO 27002 enables organisations to effectively complete each task on the checklist by providing more detailed guidance. The standard breaks down each point on the checklist into a series of controls a manager can implement.
An organisation does not need to implement each control to earn ISO 27001 certification. Other methods of creating and maintaining a 27001-compliant ISMS are fine.
ISO 27002 is largely beneficial because it takes much of the guesswork and trial-and-error out of ISMS implementation.
How does the ISO 27002:2022 update impact an organisation's ISO 27001?
If an organisation was previously ISO 27001 certified, it likely used the ISO 27002:2013 standard to implement and maintain its ISMS. In that case, the organisation's ISMS may not provide optimal security.
ISO 27002 accounts for many technological and legal changes in the past nine years. This accounting enables ISO 27002 to offer superior, more up-to-date controls and guidance than the previous version.
Cybersecurity organisations strongly recommend updating any ISO 27001 systems in place to incorporate improved practices in the ISO 27002:2022 version.
What are ISO 27002 compliance requirements?
Technically, the information in ISO 27002 enables organisations to meet ISO 27001 standards. 27001 compliance is necessary to earn credentials from an ISO 27001 certification body.
ISO 27002 has a specific scope. In a straightforward, applicable structure, it provides:
- Optimal information security techniques
- Security management controls applicable to:
- Technical physical security (hardware, software, physical storage)
- Computer and cybersecurity
- Human resource protocols (confidentiality measures)
- Meet regulatory compliance mandates (GDPR, PCI-DSS, etc)
- References to meet context-specific security objectives
The standard offers 93 controls in four distinct categories. The categories are:
- Technological controls (IT tools)
- People controls (human behaviours, roles, responsibilities, liability)
- Physical controls (physical asset protection measures)
- Organisational controls
ISO 27002 provides alternative ways to categorise the controls. This is useful, as many controls have multiple possible applications. Categorical attributes associated with each control include:
- Control method
- Threat prevention
- Threat detection
- Threat correction
- Core principle properties
- Confidentiality
- Data integrity
- Availability
- Security concept
- Identify
- Protect
- Detect
- Respond
- Recover
- Operational capabilities
- Domains
- Governance
- Ecosystem
- Protection
- Defence
- Resilience
No matter how the controls are categorised, an organisation can work through each control and implement it. Each control measure has enough detail to empower managers in a wide range of organisations to put it into practice.
Does ISO 27001 certification cover ISO 27002?
Typically, yes. ISO 27002 is a supplement to ISO 27001. It is much easier to earn ISO 27001 certification with ISO 27002.
Elevate Information Security with DataGuard
ISO 27002 is a useful set of standards for any organisation that needs to protect confidential data.
Organisations seeking ISO 27001 certification are wise to take the 27002 control recommendations into serious consideration. Cybersecurity experts can empower businesses to parse the ISO standards—no matter the complexity.
Interested in learning how to apply these best practices to your ISMS? Get in touch with us today.